LINEAR DECOMPOSITION ATTACK ON PUBLIC KEY
Abstract. We show that a linear decomposition attack based on the decomposition method introduced by the author in the monograph [1] and the paper [2] works by finding the exchanged keys in both of the two main protocols in [3] and [4].


1. Introduction 

In this paper we present a new practical attack on the two main protocols proposed in [3] and [4]. This kind of attack, introduced by the author in [1] and [2], works when the platform groups are linear. We show that in this case, contrary to the common opinion (and some explicitly stated security assumptions), one does not need to solve the underlying algorithmic problems to break the scheme, i.e., there is another algorithm that recovers the private keys without solving the principal algorithmic problem on which the security assumptions are based. This changes completely our understanding of the security of these schemes. The efficacy of the attack depends on the platform group, so it requires a specific analysis in each particular case. In general one can only state that the attack runs in polynomial time in the size of the data when the platform and related groups are given together with their linear representations. In many other cases we can effectively use known linear presentations of the groups under consideration. A theoretical base for the decomposition method is described in [5], where a series of examples is presented. The monograph [1] uniformly solves protocols based on the conjugacy search problem (Ko, Lee et al. [6], Wang, Cao et al. [7]), protocols based on the decomposition and factorization problems (Stickel [8], Alvarez, Martinez et al. [9], Shpilrain, Ushakov [10], Romanczuk, Ustimenko [11]), protocols based on actions by automorphisms (Mahalanobis [12], Rososhek [13], Markov, Mikhalev et al. [14]), and a number of other protocols. See also [15], where the linear decomposition attack is applied to the two main protocols in [3].

In [4], D. Kahrobaei, H.T. Lam and V. Shpilrain described a public key 
exchange protocol based on an extension of a semigroup by automorphisms 
(more generally endomorphisms). They proposed a non-commutative semi¬ 
group of matrices over a Galois field as platform. 
In this paper we present a polynomial time deterministic attack that breaks the two variants of the protocol presented in the papers [3] and [4]. Throughout the paper we denote by $\mathbb{N}$ the set of all positive integers.


2. General key exchange protocol [3], [4].

In this section, we describe a platform-independent key exchange protocol proposed in [3] and improved in [4]. We consider the more general version of this protocol presented in [4]. The corresponding version from [3] has been analyzed in [15]. Then we give a cryptanalysis of this protocol under the additional assumption of linearity of the chosen platform.

Let $G$ be a (semi)group and $g$ a public element of $G$. Let $\varphi$ be an arbitrary public endomorphism of $G$. Let $G_\varphi = G \rtimes \mathrm{sgp}(\varphi)$ be the semidirect product of $G$ and the semigroup $\mathrm{sgp}(\varphi)$ generated by $\varphi$. Recall that each element of $G_\varphi$ has a unique expression of the form $(\varphi^r, f)$, where $r \in \mathbb{N} \cup \{0\}$ and $f \in G$. Two elements of this form are multiplied as follows:
$$(\varphi^r, f) \cdot (\varphi^s, h) = (\varphi^{r+s}, \varphi^s(f) \cdot h).$$

• Alice chooses a private $m \in \mathbb{N}$, while Bob chooses a private $n \in \mathbb{N}$.

• Alice computes $(\varphi, g)^m = (\varphi^m, \varphi^{m-1}(g) \cdots \varphi^2(g) \cdot \varphi(g) \cdot g)$ and sends only the second component $a_m = \varphi^{m-1}(g) \cdots \varphi^2(g) \cdot \varphi(g) \cdot g$ of this pair to Bob.

• Bob computes $(\varphi, g)^n = (\varphi^n, \varphi^{n-1}(g) \cdots \varphi^2(g) \cdot \varphi(g) \cdot g)$ and sends only the second component $a_n = \varphi^{n-1}(g) \cdots \varphi^2(g) \cdot \varphi(g) \cdot g$ of this pair to Alice.

• Alice computes $(*, a_n)(\varphi^m, a_m) = (*, \varphi^m(a_n) a_m)$. She does not actually "compute" the first component of the pair.

• Bob computes $(*, a_m)(\varphi^n, a_n) = (*, \varphi^n(a_m) a_n)$. He does not actually "compute" the first component of the pair.

• Since $\varphi^m(a_n) a_m = \varphi^n(a_m) a_n = a_{m+n}$, we have $K_{Alice} = K_{Bob} = a_{m+n}$, the shared secret key.

This algorithm can be named the noncommutative shift. 

Now we show how the shared secret key $K = K_{Alice} = K_{Bob}$ can be computed in the case when $G$ is a multiplicative subgroup of a finite dimensional algebra $A$ over a field $F$ and the endomorphism $\varphi$ is extended to an endomorphism of the underlying vector space $V$ of $A$. Furthermore, we assume that the basic field operations in $F$ are efficient, in particular that they can be performed in polynomial time in the size of the elements, e.g., $F$ is finite. In all the particular protocols considered in this paper the field $F$ satisfies all these conditions.

Using Gauss elimination we can effectively find a maximal linearly independent subset $L$ of the set $\{a_0, a_1, \ldots, a_k, \ldots\}$, where $a_0 = g$ and $a_k = \varphi^{k-1}(g) \cdot \ldots \cdot \varphi(g) \cdot g$ for $k \geq 1$. Indeed, suppose that $\{a_0, \ldots, a_k\}$ is a linearly independent set but $a_{k+1}$ can be presented as a linear combination of the form
$$(1)\qquad a_{k+1} = \sum_{i=0}^{k} \lambda_i a_i, \quad \lambda_i \in F.$$
Suppose by induction that $a_{k+j}$ can be presented as above for every $j \leq t-1$. In particular
$$a_{k+t-1} = \sum_{i=0}^{k} \mu_i a_i, \quad \mu_i \in F.$$
Then, since $\varphi(a_i) \cdot g = a_{i+1}$,
$$a_{k+t} = \varphi(a_{k+t-1}) \cdot g = \sum_{i=0}^{k} \mu_i \varphi(a_i) \cdot g = \sum_{i=0}^{k} \mu_i a_{i+1} = \mu_k \sum_{i=0}^{k} \lambda_i a_i + \sum_{i=0}^{k-1} \mu_i a_{i+1},$$
where $a_{k+1}$ has been replaced using (1). Thus $L = \{a_0, \ldots, a_k\}$, and every $a_n$ lies in the linear span of $L$.

In particular, we can effectively compute
$$a_n = \sum_{i=0}^{k} \eta_i a_i, \quad \eta_i \in F,$$
and then
$$(2)\qquad a_{m+n} = \varphi^m(a_n) \cdot a_m = \sum_{i=0}^{k} \eta_i \varphi^m(a_i) \cdot a_m = \sum_{i=0}^{k} \eta_i \varphi^i(a_m) \cdot a_i,$$
using $\varphi^m(a_i) \cdot a_m = a_{m+i} = \varphi^i(a_m) \cdot a_i$. Note that all data on the right hand side of (2) is known now. Thus we get the shared key $K = a_{m+n}$.

In the original version of this cryptosystem [3], $G$ was proposed to be the semigroup of $3 \times 3$ matrices over the group algebra $F_7[A_5]$, where $A_5$ is the alternating group on 5 elements. The authors of [3] used an extension of the semigroup $G$ by an inner automorphism which is conjugation by a matrix $H \in GL_3(F_7[A_5])$. Therefore, in this case there is a polynomial time algorithm to find the shared key $K$ from the public data.

3. Key exchange protocol using matrices over a Galois field and extensions by special endomorphisms [4].

In this section, we describe the key exchange protocol using matrices over a Galois field and extensions by special endomorphisms proposed in [4].

Let $G$ be a multiplicative semigroup of the matrix algebra $A = M_2(F)$ of all $2 \times 2$ matrices over the Galois field $F = \mathbb{F}_{2^{127}}$. Let $\varphi = \alpha_H \circ \psi$ be the automorphism of $G$ which is the composition of the conjugation $\alpha_H$ by a matrix $H \in GL_2(F)$ with the endomorphism $\psi$ that raises each entry of a given matrix to the power of 4. The composition is such that $\psi$ is applied first, followed by the conjugation. Note that both these maps naturally extend to automorphisms of $A$.

This protocol can be attacked by the linear decomposition attack as it 
has been explained in Section 2. 

In [4], the situation is also considered where the automorphism $\varphi$ is just conjugation by a public matrix $H \in GL_2(F)$, i.e., $\varphi(X) = H^{-1} X H$. Let $g = M \in G$. By direct computation one gets $a_k = H^{-k}(HM)^k$ for every $k \in \mathbb{N}$.

This protocol is vulnerable to a linear algebra attack as follows. The attacker, Eve, looks for matrices $X$ and $Y$ such that $XH = HX$, $Y(HM) = (HM)Y$, and $XY = H^{-m}(HM)^m$. The first two matrix equations translate into a system of linear equations in the entries of $X$ and $Y$ over $F$. After solving this system and finding invertible solutions $X$ and $Y$, Eve can recover the shared secret key $K$ as follows:
$$X a_n Y = H^{-n}(XY)(HM)^n = H^{-n} H^{-m}(HM)^m (HM)^n = H^{-(m+n)}(HM)^{m+n} = a_{m+n} = K.$$
The above algorithm contains a couple of difficulties. Firstly, a solution $X$ might not be invertible. Secondly, all these computations have to be done online during every session.

In contrast to the linear algebra attack, the linear decomposition attack is very simple. We describe an even simpler version of this attack working in this specific situation.

Consider the linear space $W = \mathrm{Span}(\mathrm{gp}(H) \cdot \mathrm{sgp}(HM))$ generated by all elements of the form $H^{k}(HM)^{l}$ where $k \in \mathbb{Z}$ and $l \in \mathbb{N} \cup \{0\}$. One can effectively find a basis $e_1, \ldots, e_t$ of $W$. Obviously, $t \leq 4$. Moreover, since every $2 \times 2$ matrix is a root of its characteristic polynomial, which has degree 2, one can choose the basis elements in the form $e_i = H^{-k_i}(HM)^{l_i}$, $k_i, l_i \in \{0, 1\}$, $i = 1, \ldots, t$. Now we have public data $a_m$ and $a_n$ where $m, n \in \mathbb{N}$. We can effectively compute
$$(3)\qquad a_n = \sum_{i=1}^{t} \eta_i e_i = \sum_{i=1}^{t} \eta_i H^{-k_i}(HM)^{l_i}, \quad \eta_i \in F,\ i = 1, \ldots, t.$$
Then
$$\sum_{i=1}^{t} \eta_i H^{-k_i} a_m (HM)^{l_i} = \sum_{i=1}^{t} \eta_i H^{-k_i}\bigl(H^{-m}(HM)^m\bigr)(HM)^{l_i} = H^{-m}\Bigl(\sum_{i=1}^{t} \eta_i H^{-k_i}(HM)^{l_i}\Bigr)(HM)^m =$$
$$(4)\qquad = H^{-m} H^{-n}(HM)^n (HM)^m = H^{-(m+n)}(HM)^{m+n} = a_{m+n}.$$
Thus one has the shared key $K = a_{m+n}$. Note that the basis $e_1, \ldots, e_t$ is constructed once, offline. We do not need to look for any invertible solution.
In [4], the last protocol was changed to avoid the linear algebra attack. As before $H, M \in G$, where $H$ is invertible and $M$ is assumed to be not invertible. The automorphism is $\alpha_H$, the inner automorphism corresponding to $H$.


• Alice chooses a private $m \in \mathbb{N}$, while Bob chooses a private $n \in \mathbb{N}$. Alice also selects a private nonzero matrix $R$ such that $R \cdot (HM) = 0$ (the zero matrix), and Bob selects a private nonzero matrix $S$ such that $S \cdot (HM) = 0$. Such matrices $R, S$ exist because the matrix $HM$ is not invertible.

• Alice computes $(\varphi, M)^m = (\varphi^m, \varphi^{m-1}(M) \cdots \varphi^2(M) \cdot \varphi(M) \cdot M)$, where the second component of this pair is $a_m = \varphi^{m-1}(M) \cdots \varphi^2(M) \cdot \varphi(M) \cdot M = H^{-m}(HM)^m$, and sends $a_m + R$ to Bob.

• Bob computes $(\varphi, M)^n = (\varphi^n, \varphi^{n-1}(M) \cdots \varphi^2(M) \cdot \varphi(M) \cdot M)$, where the second component is $a_n = \varphi^{n-1}(M) \cdots \varphi^2(M) \cdot \varphi(M) \cdot M = H^{-n}(HM)^n$, and sends $a_n + S$ to Alice.

• Alice computes $(*, a_n + S)(\varphi^m, a_m) = (*, \varphi^m(a_n + S) a_m)$. She does not actually "compute" the first component of the pair. She only needs the second component of the pair, which is $H^{-(m+n)}(HM)^{m+n} + (H^{-m} S H^m) \cdot (H^{-m}(HM)^m)$. Since $S \cdot (HM) = 0$, Alice gets $K_{Alice} = a_{m+n}$.

• Bob computes $(*, a_m + R)(\varphi^n, a_n) = (*, \varphi^n(a_m + R) a_n)$. He does not actually "compute" the first component of the pair. Similarly, he gets $K_{Bob} = a_{m+n}$.

• Alice and Bob have the shared secret key $K = K_{Alice} = K_{Bob} = a_{m+n}$.

It is shown in [4] that the linear algebra attack as above does not work against this protocol. Unfortunately, this protocol is vulnerable to the linear decomposition attack as follows.

Consider the linear space $W$ generated by all elements of the form $H^{-k}(HM)^k$ where $k = 1, 2, \ldots$. Note that $a_m, a_n \in W$. Let $U$ be the annihilator space of $HM$, consisting of all $2 \times 2$ matrices $B$ over $F$ such that $B \cdot (HM) = 0$. Note that $R, S \in U$. Let $Z = W + U$. One can effectively find a basis $e_1, \ldots, e_l, f_1, \ldots, f_t$ of $Z$, where $e_i \in W$, $i = 1, \ldots, l$, and $f_j \in U$, $j = 1, \ldots, t$. Let $e_i = H^{-k_i}(HM)^{k_i}$, where $k_i \in \mathbb{N}$, $i = 1, \ldots, l$.

Now we have public data $a_m + R$ and $a_n + S$ where $m, n \in \mathbb{N}$, and we know that $R, S \in U$. We can effectively compute
$$(5)\qquad a_n + S = \sum_{i=1}^{l} \eta_i e_i + \sum_{j=1}^{t} \nu_j f_j = \sum_{i=1}^{l} \eta_i H^{-k_i}(HM)^{k_i} + S_1,$$
where $\eta_i, \nu_j \in F$ for $i = 1, \ldots, l$ and $j = 1, \ldots, t$, and $S_1 = \sum_{j=1}^{t} \nu_j f_j \in U$. It is possible that $S_1 \neq S$.




VITALII ROMAN’KOV 


Then
$$\sum_{i=1}^{l} \eta_i H^{-k_i}(a_m + R)(HM)^{k_i} = \sum_{i=1}^{l} \eta_i H^{-k_i} a_m (HM)^{k_i} = H^{-m}\Bigl(\sum_{i=1}^{l} \eta_i H^{-k_i}(HM)^{k_i}\Bigr)(HM)^m =$$
$$(6)\qquad = H^{-m}\bigl(H^{-n}(HM)^n + S - S_1\bigr)(HM)^m = H^{-(m+n)}(HM)^{m+n} = a_{m+n},$$
where the terms containing $R$ and $S - S_1$ vanish because $R \cdot (HM) = 0$, $(S - S_1) \cdot (HM) = 0$ and $k_i, m \geq 1$. Thus one has the shared secret key $K = a_{m+n}$. Note: 1) the basis $e_1, \ldots, e_l, f_1, \ldots, f_t$ is constructed once, offline; 2) we do not need to look for invertible solutions of the sets of linear equations considered while the algorithm runs. We apply the usual Gauss elimination process to find a unique solution every time we solve a set of linear equations in the algorithm. Hence, this algorithm is deterministic. Moreover, in the case where the platform is as proposed in [3] or similar, the algorithm is practical. Note: we do not compute $m$ and/or $n$ to recover $K$.
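The attack of (5) and (6) carried out in code, as an added example that is not part of the original paper; with $R = S = 0$ and an invertible $M$ the same function is the attack of (3) and (4), and the Gauss elimination step is the decomposition principle of (2). It assumes the small prime field $\mathbb{F}_{10007}$ in place of $\mathbb{F}_{2^{127}}$ (the attack does not depend on the field), $\varphi(X) = H^{-1} X H$ and $2 \times 2$ matrices; all function names and sample matrices are my own.

```python
from functools import reduce
P = 10007                                     # assumed small prime field standing in for F_{2^127}
def mmul(A, B):                               # 2x2 matrix product over F_P
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % P for j in range(2)] for i in range(2)]
def madd(A, B):
    return [[(A[i][j] + B[i][j]) % P for j in range(2)] for i in range(2)]
def mpow(A, e):                               # A^e by repeated multiplication (e is small here)
    return reduce(mmul, [A] * e, [[1, 0], [0, 1]])
def minv(A):                                  # adjugate / det; A must be invertible
    d = pow((A[0][0] * A[1][1] - A[0][1] * A[1][0]) % P, P - 2, P)
    return [[A[1][1] * d % P, -A[0][1] * d % P], [-A[1][0] * d % P, A[0][0] * d % P]]
def a_k(H, M, k):                             # protocol element a_k = H^{-k} (HM)^k
    return mmul(mpow(minv(H), k), mpow(mmul(H, M), k))
def decompose(target, vecs):                  # Gauss-Jordan over F_P: c with sum c[i]*vecs[i] == target
    flat = lambda A: A[0] + A[1]              # 2x2 matrix -> vector of length 4
    n, rows = len(vecs), [[flat(v)[r] for v in vecs] + [flat(target)[r]] for r in range(4)]
    piv, r = [], 0
    for c in range(n):                        # pivots are taken in the order vecs is given
        p = next((i for i in range(r, 4) if rows[i][c]), None)
        if p is None: continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], P - 2, P)
        rows[r] = [x * inv % P for x in rows[r]]
        for i in range(4):
            if i != r and (f := rows[i][c]):
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[r])]
        piv.append(c); r += 1
    assert not any(row[n] for row in rows[r:])  # target must lie in span(vecs)
    coef = [0] * n
    for i, c in enumerate(piv): coef[c] = rows[i][n]
    return coef
def annihilator_basis(N):                     # basis of U = {B : B.N = 0}; empty if N is invertible
    if (N[0][0] * N[1][1] - N[0][1] * N[1][0]) % P: return []
    r = [N[1][0], -N[0][0] % P] if (N[0][0] or N[1][0]) else [N[1][1], -N[0][1] % P]
    return [[r, [0, 0]], [[0, 0], r]]
def recover_key(H, M, am_R, an_S):            # Eve's computation, equations (5)-(6)
    # Write a_n + S over e_i = H^{-i}(HM)^i (i = 1..4) plus a basis of U; the U part is S_1.
    HM, Hi = mmul(H, M), minv(H)
    eta = decompose(an_S, [a_k(H, M, i) for i in range(1, 5)] + annihilator_basis(HM))
    K = [[0, 0], [0, 0]]
    for i in range(1, 5):                     # K = sum eta_i H^{-i} (a_m + R) (HM)^i; the masks
        term = mmul(mmul(mpow(Hi, i), am_R), mpow(HM, i))   # vanish since R.(HM) = (S - S_1).(HM) = 0
        K = madd(K, [[eta[i - 1] * x % P for x in row] for row in term])
    return K
def demo(m=7, n=11):                          # end-to-end run on constructed public data
    H, M = [[2, 3], [5, 11]], [[1, 4], [2, 8]]          # H invertible, M (hence HM) singular
    f1, f2 = annihilator_basis(mmul(H, M))
    R, S = f1, madd(f1, f2)                             # private masks chosen in U
    K = recover_key(H, M, madd(a_k(H, M, m), R), madd(a_k(H, M, n), S))
    return K == a_k(H, M, m + n)
```

Four elements $e_1, \ldots, e_4$ suffice because the span of $a_1, a_2, \ldots$ stabilizes as soon as one $a_{j+1}$ depends on its predecessors, which happens within the 4-dimensional space $M_2(F)$.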